fabiblack_18546
Oct 13, 2015

apd logs User Plain Text Password when in Debug Mode!

Hello,

We have a big problem with our F5.

We found out that the F5 logs the plain-text password of all users that use our client-initiated SSOs. THIS should not be the case! How could this "feature" get through QA on F5's behalf? The F5 always censors passwords for good, and I don't get why in this particular case this doesn't apply.

But enough of me rambling about this, I am as good as fired for this anyway... I want to ask how we can avoid this in the future. Disabling the debug mode alone is not sufficient because I cannot guarantee that one of my fellow admins won't enable the debug mode and steal passwords from all users.

You have to meet the following requirements for this problem to occur:

* Have a client-initiated SSO like the Exchange iApp
* Debug log level for "Access Policy"

When you meet those requirements, you can go into /var/log/apm and simply search for "password:"

You will find the messages like this:

    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 663 Msg: //=========================================
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 664 Msg:  Request received
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 665 Msg: //-----------------------------------------
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 63 Msg: bytes_received: 339, len: 339
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 87 Msg: first header received: POST /my.policy HTTP/1.1
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 310 Msg: HTTP Method received: POST
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 339 Msg: HTTP URI received: /my.policy
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 384 Msg: HTTP major version received: 1
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 385 Msg: HTTP minor version received: 1
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: Content-Length: 55
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, content-length: 55
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: client-session-id: 18d2879417a0fb3009afddf358621dea
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, client-session-id: 18d2879417a0fb3009afddf358621
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-key: 8871001d1fb63f014eecb81158621dea
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-key: 8871001d1fb63f014eecb81158621dea
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: profile-id: /MyComp/PTAexchange1.4.app/exch_access
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, profile-id: /MyComp/PTAexchange1.4.app/exch_access
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-id: 58621dea
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-id: 58621dea
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: snapshot-id: 18a28c096a6_5ooooooooooooooooooo
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, snapshot-id: 18a28c096a6_5ooooooooooooooooooo
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: cmp-pu: 1
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, cmp-pu: 1
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 82 Msg: Complete header received: 284
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, username: Admin
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, password: Admin_Password!
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, vhost: standard
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 681 Msg: Received Session Id: "58621dea"
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 683 Msg: Received Profile Id: "/MyComp/PTAexchange1.4.app/exch_access"
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 685 Msg: request-from: ""
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 687 Msg: clientless-mode: ""
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 689 Msg: no-inspection-host-mode: ""
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 691 Msg: Received CMP Process Unit: "1, mc = 0x5ca10f44"
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 693 Msg: start processing of the access policy
    Oct 13 08:37:04 F5 debug apd[12167]: 01490011:7: 58621dea: Logon agent: ENTER Function executeInstance
    Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: modules/LogonPage/SimpleLogonPage/SimpleLogonPageAgent.cpp func: "SimpleLogonPageAgentexecuteInstance()" line: 1134 Msg: SCIM session state variables: Request Type : Request Domain : GroupName : UserName : ClearCache:0
    Oct 13 08:37:04 F5 notice apd[12167]: 01490010:5: 58621dea: Username 'Admin'

As you can see, the HTTPParser.cpp func: "parsePostParam()" line: 474 is the culprit!

So how can we avoid this in the future? A strict trust agreement will not work, I am afraid. Any input in this matter is highly appreciated!

Best Wishes!
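An added example for the detection and clean-up side of this (not code from the poster or from F5): a small Python scanner over apd debug lines in the format quoted above that flags credential POST parameters written by `parsePostParam()` and redacts them, so an admin can find the exposure in archived `/var/log/apm` files and scrub it. The sample lines, the `SECRET_PARAMS` list and the `Finding` record are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the apd debug-line format shown in the post (values are made up).
SAMPLE_LOG = """\
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, username: Admin
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, password: Admin_Password!
Oct 13 08:37:04 F5 debug apd[12167]: 01490000:7: HTTPParser.cpp func: "parsePostParam()" line: 474 Msg: Param received, vhost: standard
Oct 13 08:37:04 F5 notice apd[12167]: 01490010:5: 58621dea: Username 'Admin'
"""

# syslog prefix: timestamp, host, level, daemon[pid], F5 message code, rest of message
APD_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) apd\[(?P<pid>\d+)\]: '
    r'(?P<code>[0-9a-f]{8}:\d): (?P<rest>.*)$'
)
# the culprit line type: HTTPParser.cpp parsePostParam() echoing a POST parameter and its value
POST_PARAM = re.compile(
    r'func: "parsePostParam\(\)" line: \d+ Msg: Param received, (?P<name>[^:]+): (?P<value>.*)$'
)
# parameter names treated as secrets (assumed list, extend for your logon page form fields)
SECRET_PARAMS = {"password", "passwd", "pwd", "passcode", "otp"}

@dataclass
class Finding:
    line_no: int
    host: str
    pid: str
    level: str
    param: str

def scan_apd_log(text):
    """Return (findings, redacted_lines): one Finding per leaked secret parameter,
    and a copy of the log with the secret value replaced by [REDACTED]."""
    findings, redacted = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = APD_LINE.match(line)
        p = POST_PARAM.search(line) if m else None
        if p and p.group("name").strip().lower() in SECRET_PARAMS:
            findings.append(Finding(n, m.group("host"), m.group("pid"),
                                    m.group("level"), p.group("name").strip()))
            line = line[:p.start("value")] + "[REDACTED]"  # keep everything but the value
        redacted.append(line)
    return findings, redacted

if __name__ == "__main__":
    found, cleaned = scan_apd_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.param} leaked at {f.level} level by apd[{f.pid}] on {f.host}")
    print("\n".join(cleaned))
```

Run it over real apd output with `scan_apd_log(open("/var/log/apm").read())`; a non-empty findings list at `debug` level is the condition the post describes.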
